rm dotbot; move everything to home manager

hosts/chunk/.sops.yaml

@@ -0,0 +1,7 @@
+keys:
+  - &primary age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn
+creation_rules:
+  - path_regex: secrets.yaml$
+    key_groups:
+    - age:
+      - *primary

hosts/chunk/Caddyfile

@@ -0,0 +1,62 @@
+{
+  acme_ca https://acme.zerossl.com/v2/DV90
+  acme_eab {
+    key_id {$EAB_KEY_ID}
+    mac_key {$EAB_MAC_KEY}
+  }
+}
+
+anki.cy7.sh {
+  reverse_proxy localhost:27701
+}
+
+git.cy7.sh, git.cything.io {
+  reverse_proxy unix//run/gitlab/gitlab-workhorse.socket
+}
+
+rss.cything.io {
+  reverse_proxy localhost:8080
+}
+
+photos.cy7.sh {
+  reverse_proxy localhost:2283
+}
+
+matrix.cy7.sh, chat.cything.io {
+  reverse_proxy localhost:8448
+}
+
+pass.cy7.sh {
+  reverse_proxy localhost:8081
+}
+
+dns.cything.io {
+  reverse_proxy localhost:8082
+}
+
+ntfy.cything.io {
+  reverse_proxy localhost:8083
+}
+
+cything.io {
+  uri strip_prefix /blog
+  reverse_proxy /.well-known/matrix/* localhost:8448
+  reverse_proxy /_matrix/* localhost:8448
+  reverse_proxy localhost:8084
+}
+
+www.cything.io {
+  redir https://cything.io{uri} permanent
+}
+
+cloud.cything.io {
+  reverse_proxy localhost:11000
+}
+
+pad.cything.io {
+  reverse_proxy localhost:8085
+}
+
+red.cything.io {
+  reverse_proxy localhost:8087
+}

hosts/chunk/default.nix

@@ -0,0 +1,348 @@
+{
+  config,
+  lib,
+  pkgs,
+  inputs,
+  ...
+}: {
+  disabledModules = ["services/web-servers/caddy/default.nix"];
+  imports = [
+    ./hardware-configuration.nix
+    "${inputs.testpkgs}/nixos/modules/services/web-servers/caddy"
+    ../common.nix
+  ];
+
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.age.keyFile = "/root/.config/sops/age/keys.txt";
+  sops.secrets = {
+    "borg/crash" = {};
+    "ntfy" = {};
+    "rclone" = {};
+    "vaultwarden" = {};
+    "caddy" = {};
+    "hedgedoc" = {};
+    "wireguard/private" = {};
+    "wireguard/psk" = {};
+    "wireguard/pskphone" = {};
+    "miniflux" = {};
+    "gitlab/root" = {
+      owner = config.users.users.git.name;
+      group = config.users.users.git.group;
+    };
+    "gitlab/secret" = {
+      owner = config.users.users.git.name;
+      group = config.users.users.git.group;
+    };
+    "gitlab/jws" = {
+      owner = config.users.users.git.name;
+      group = config.users.users.git.group;
+    };
+    "gitlab/db" = {
+      owner = config.users.users.git.name;
+      group = config.users.users.git.group;
+    };
+    "gitlab/otp" = {
+      owner = config.users.users.git.name;
+      group = config.users.users.git.group;
+    };
+  };
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/vda";
+
+  system.stateVersion = "24.05";
+
+  networking.hostName = "chunk";
+  networking.networkmanager.enable = true;
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [22 80 443 53 853];
+    allowedUDPPorts = [443 51820 53 853]; # 51820 is wireguard
+    trustedInterfaces = ["wg0" "br-2a019a56bbcc"]; # the second one is docker, idk if this changes
+  };
+  networking.interfaces.ens18 = {
+    ipv6.addresses = [
+      {
+        address = "2a0f:85c1:840:2bfb::1";
+        prefixLength = 64;
+      }
+    ];
+  };
+  networking.defaultGateway6 = {
+    address = "2a0f:85c1:840::1";
+    interface = "ens18";
+  };
+  networking.nameservers = ["127.0.0.1" "::1"];
+
+  time.timeZone = "America/Toronto";
+
+  i18n.defaultLocale = "en_US.UTF-8";
+  console = {
+    font = "Lat2-Terminus16";
+    useXkbConfig = true;
+  };
+
+  users.users.yt = {
+    isNormalUser = true;
+    extraGroups = ["wheel" "networkmanager" "docker"];
+    openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux"];
+    shell = pkgs.zsh;
+  };
+  programs.zsh.enable = true;
+  users.users.root.openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux"];
+
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    curl
+    tree
+    python3Full
+    tmux
+    borgbackup
+    rclone
+    file
+    sops
+    age
+  ];
+
+  environment.variables = {
+    EDITOR = "nvim";
+    VISUAL = "nvim";
+  };
+
+  services.openssh = {
+    enable = true;
+    settings.PasswordAuthentication = false;
+  };
+
+  security.sudo.enable = true;
+  security.sudo.wheelNeedsPassword = false;
+
+  programs.gnupg.agent.enable = true;
+  programs.git.enable = true;
+
+  services.caddy = {
+    enable = true;
+    configFile = ./Caddyfile;
+    environmentFile = "/run/secrets/caddy";
+    logFormat = lib.mkForce "level INFO";
+  };
+  # systemd.services.caddy.serviceConfig = {
+  #   EnvironmentFile = "/run/secrets/caddy";
+  # };
+
+  services.postgresql = {
+    enable = true;
+    settings.port = 5432;
+    package = pkgs.postgresql_17;
+    enableTCPIP = true;
+    ensureDatabases = [
+      "hedgedoc"
+    ];
+    authentication = lib.mkForce ''
+      local all all trust
+      host  all all 127.0.0.1/32 trust
+      host  all all ::1/128 trust
+      host  all all 172.18.0.0/16 trust
+    '';
+  };
+  services.postgresqlBackup.enable = true;
+
+  virtualisation.docker.enable = true;
+
+  services.borgbackup.jobs = {
+    crashRsync = {
+      paths = ["/root" "/home" "/var/backup" "/var/lib" "/var/log" "/opt" "/etc" "/vw-data"];
+      exclude = ["**/.cache" "**/node_modules" "**/cache" "**/Cache" "/var/lib/docker/overlay*"];
+      repo = "de3911@de3911.rsync.net:borg/crash";
+      encryption = {
+        mode = "repokey-blake2";
+        passCommand = "cat /run/secrets/borg/crash";
+      };
+      environment = {
+        BORG_RSH = "ssh -i /home/yt/.ssh/id_ed25519";
+        BORG_REMOTE_PATH = "borg1";
+      };
+      compression = "auto,zstd";
+      startAt = "daily";
+      extraCreateArgs = ["--stats"];
+      # warnings are often not that serious
+      failOnWarnings = false;
+      postHook = ''
+        ${pkgs.curl}/bin/curl -u $(cat /run/secrets/ntfy) -d "chunk: backup completed with exit code: $exitStatus
+        $(journalctl -u borgbackup-job-crashRsync.service|tail -n 5)" \
+        https://ntfy.cything.io/chunk
+      '';
+    };
+  };
+
+  services.vaultwarden = {
+    enable = true;
+    dbBackend = "postgresql";
+    environmentFile = "/run/secrets/vaultwarden";
+    config = {
+      ROCKET_ADDRESS = "127.0.0.1";
+      ROCKET_PORT = "8081";
+      DATA_FOLDER = "/vw-data";
+      DATABASE_URL = "postgresql://vaultwarden:vaultwarden@127.0.0.1:5432/vaultwarden";
+    };
+  };
+
+  services.ntfy-sh = {
+    enable = true;
+    settings = {
+      listen-http = "127.0.0.1:8083";
+      base-url = "https://ntfy.cything.io";
+      upstream-base-url = "https://ntfy.sh";
+      auth-default-access = "deny-all";
+      behind-proxy = true;
+    };
+  };
+
+  systemd.services.immich-mount = {
+    enable = true;
+    description = "Mount the immich data remote";
+    after = ["network-online.target"];
+    requires = ["network-online.target"];
+    wantedBy = ["default.target"];
+    serviceConfig = {
+      Type = "notify";
+      ExecStartPre = "/usr/bin/env mkdir -p /mnt/photos";
+      ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --transfers=32 --dir-cache-time 720h --poll-interval 0 --vfs-cache-mode writes photos: /mnt/photos ";
+      ExecStop = "/bin/fusermount -u /mnt/photos";
+      EnvironmentFile = "/run/secrets/rclone";
+    };
+  };
+
+  systemd.services.nextcloud-mount = {
+    enable = true;
+    description = "Mount the nextcloud data remote";
+    after = ["network-online.target"];
+    requires = ["network-online.target"];
+    wantedBy = ["default.target"];
+    serviceConfig = {
+      Type = "notify";
+      ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --uid 33 --gid 0 --allow-other --file-perms 0770 --dir-perms 0770 --transfers=32 rsyncnet:nextcloud /mnt/nextcloud";
+      ExecStop = "/bin/fusermount -u /mnt/nextcloud";
+      EnvironmentFile = "/run/secrets/rclone";
+    };
+  };
+
+  programs.fuse.userAllowOther = true;
+
+  services.hedgedoc = {
+    enable = true;
+    environmentFile = "/run/secrets/hedgedoc";
+    settings = {
+      db = {
+        username = "hedgedoc";
+        database = "hedgedoc";
+        host = "/run/postgresql";
+        dialect = "postgresql";
+      };
+      port = 8085;
+      domain = "pad.cything.io";
+      allowEmailRegister = false;
+      protocolUseSSL = true;
+    };
+  };
+
+  services.redlib = {
+    enable = true;
+    port = 8087;
+    address = "127.0.0.1";
+    settings = {
+      # settings are just env vars
+      REDLIB_ENABLE_RSS = "on";
+      REDLIB_ROBOTS_DISABLE_INDEXING = "on";
+    };
+  };
+
+  # wireguard stuff
+  networking.nat = {
+    enable = true;
+    enableIPv6 = true;
+    externalInterface = "ens18";
+    internalInterfaces = ["wg0"];
+  };
+
+  networking.wg-quick.interfaces.wg0 = {
+    address = ["10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64"];
+    listenPort = 51820;
+    privateKeyFile = "/run/secrets/wireguard/private";
+    postUp = ''
+      ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
+      ${pkgs.iptables}/bin/iptables -A FORWARD -o wg0 -j ACCEPT
+      ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE
+      ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
+      ${pkgs.iptables}/bin/ip6tables -A FORWARD -o wg0 -j ACCEPT
+      ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -o ens18 -j MASQUERADE
+    '';
+    preDown = ''
+      ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
+      ${pkgs.iptables}/bin/iptables -D FORWARD -o wg0 -j ACCEPT
+      ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE
+      ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
+      ${pkgs.iptables}/bin/ip6tables -D FORWARD -o wg0 -j ACCEPT
+      ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -o ens18 -j MASQUERADE
+    '';
+    peers = [
+      {
+        publicKey = "qUhWoTPVC7jJdDEJLYY92OeiwPkaf8I5pv5kkMcSW3g=";
+        allowedIPs = ["10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128"];
+        presharedKeyFile = "/run/secrets/wireguard/psk";
+      }
+      {
+        publicKey = "JIGi60wzLw717Cim1dSFoLCdJz5rePa5AIFfuisJI0k=";
+        allowedIPs = ["10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128"];
+        presharedKeyFile = "/run/secrets/wireguard/pskphone";
+      }
+    ];
+  };
+
+  # adguard
+  services.adguardhome = {
+    enable = true;
+    host = "127.0.0.1";
+    port = 8082;
+    settings = {
+      http.port = "8083";
+      users = [
+        {
+          name = "cy";
+          password = "$2y$10$BZy2zYJj5z4e8LZCq/GwuuhWUafL/MNFO.YcsAMmpDS.2krPxi7KC";
+        }
+      ];
+    };
+  };
+
+  services.miniflux = {
+    enable = true;
+    adminCredentialsFile = "/run/secrets/miniflux";
+    config = {
+      PORT = 8080;
+      BASE_URL = "https://rss.cything.io";
+      FORCE_REFRESH_INTERVAL = 0;
+    };
+  };
+
+  services.gitlab = {
+    enable = true;
+    https = true;
+    host = "git.cything.io";
+    user = "git"; # so that you can ssh with git@git.cything.io
+    group = "git";
+    port = 443; # this *not* the port gitlab will run on
+    puma.workers = 0; # https://docs.gitlab.com/omnibus/settings/memory_constrained_envs.html#optimize-puma
+    sidekiq.concurrency = 10;
+    databaseUsername = "git"; # needs to be same as user
+    initialRootEmail = "hi@cything.io";
+    initialRootPasswordFile = "/run/secrets/gitlab/root";
+    secrets = {
+      secretFile = "/run/secrets/gitlab/secret";
+      otpFile = "/run/secrets/gitlab/otp";
+      jwsFile = "/run/secrets/gitlab/jws";
+      dbFile = "/run/secrets/gitlab/db";
+    };
+  };
+}

hosts/chunk/hardware-configuration.nix

@@ -0,0 +1,35 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = ["kvm-intel"];
+  boot.extraModulePackages = [];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/6fff5dd4-8d7a-43fa-85be-eec74ef2089e";
+    fsType = "ext4";
+  };
+
+  swapDevices = [];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/chunk/secrets.yaml

@@ -0,0 +1,40 @@
+borg:
+    crash: ENC[AES256_GCM,data:vEeCjPi62gEy29F7HbUFOLTg9yLdppKL2w==,iv:4gYocu4xSFyoupzyQgfnzrxhFVDLAGeY3OnLiVZmwnE=,tag:p7JxbSeKYWHK/YJ8tx1hKA==,type:str]
+anki:
+    cy: ENC[AES256_GCM,data:5XNv5jaC9/T6E/8KaQM=,iv:xneSmhtb+CTyTJFjeSe4Cdun/AT5x1fwqvPTtBaWWS8=,tag:Vw1JkIg+m62kCAMLM0z7/g==,type:str]
+ntfy: ENC[AES256_GCM,data:IShnk2cH/oKUwHCEfA==,iv:bEshwLBbIdwg0CJhonaOZtTJkfHY70YSUwfcsAYB98E=,tag:tD3uWleBwxFlKHqQOOLE4w==,type:str]
+rclone: ENC[AES256_GCM,data:IYxR45rQP0cQA84HMRSAJaBsmB/YArIEdWpD191omnKg1kfN0ShYKwEPsoe+,iv:cTn8Z/fxWmGW8iPS6DcrjUe0RUZXOi0D1LVnIxCLPSo=,tag:Ie8JWis40JN9mca4OjfInw==,type:str]
+vaultwarden: ENC[AES256_GCM,data:fnl8hVezSu8g3tAXCwDUe9+wVjK7F8bC8qJJBj8Wq1BX6ygtjKNkf4wGAMo0XTb4Ukx1A+KwfJ2DlTWkDPo6ALxaIC/ZR4RYQJ3xE5rJ5QKkD+1Abebis5W1UXEEsiMRoo+vCz2GiU39NXY6/CjxM/gBhcBtyeUNtWcYalmOUQOLfd7GKPCElbA+BWKnjL1tl5DjWgACBvm5AozLoElVGiiMviz8V623NY1DkPQjJxl9ziU9Ncft4KS5rw0IIXmBj6QRF6+qOwz7TxcamDBIW2BWvDNmfPzQdl2cI4NwVWPiImcMedTQiH4m00oW5QBl0QM8F89N7CgOnA==,iv:hmAydcZd5LDPSQkekl5pD/i4Gr6GnR4BqYHXYR/mqHY=,tag:utwQNWPGSTvl1VRJr+89gw==,type:str]
+caddy: ENC[AES256_GCM,data:iRTGzvJdWQbwxM2mEhQuw3tRC/HLCryOJOgdIb+HSQ2bxRqNNp32H82+Rx/CPwCPOvQN+gXjwHPlMuLX2KbmPLugx2pETgVPddVAe18sT4UtFQ5Ym/wM8dXqNXmhZ2hkxJUjPg3l1Aov75iNH9kD7rzivEiGb0ET09iYEmbtVqx8BVc8pw==,iv:nBziWIlTAlnmfbBJa/AnpmjirtLqbSSoyJVgw1w63t4=,tag:ZSrWE1b1AY7fX4WUYV0uag==,type:str]
+hedgedoc: ENC[AES256_GCM,data:3DWGGXE3E4nay5NhbBkNcyDlv40G8KvhLbvu1Qba3zJLDeVtuBBF/ZjFCddUx+Sw83OLMsZBQMu3Y4Cq0rcqRT+YHnQzwboUY3xngNHgVMBGh9c8,iv:GuSYHMlM9eXf7AcArGXnISDNnfsAN38NxxVTO0/iwKM=,tag:0WKKUZS3WaYOCUFNw4HqFA==,type:str]
+wireguard:
+    private: ENC[AES256_GCM,data:jAarkXsz8ldGW+HHNeMNWOg/EIqKXQfPKwg+fbSEHSGTLoGHgihylYYK09U=,iv:6oAzkS5IZ/GWYv4JwBIprlN1EmquYffR+dtXyYiCm1g=,tag:DnC/uDNhj39CY6tsihdxDQ==,type:str]
+    psk: ENC[AES256_GCM,data:VyxJORdC1ulZP1jSeh8TTqI/RJYcjeJtsPrBtUGZlWHjNodrzXSkoilPD1g=,iv:q6PyTFVnb4QAM/OpnBY0DPIaido0KPW8UQ6nJlpVd0o=,tag:BMfhQKZmaN+kCjXS2tT6Sw==,type:str]
+    pskphone: ENC[AES256_GCM,data:AFpadV3fb+Lm1vHOJO5/u9e0uWO3DVJDElGVWWhdga/5OrZnX3bN4rUoXDc=,iv:TJSGU5dlST0YzramkpKxK8I0sLvDokkQpqVZUGJdZTE=,tag:wxIe6UNpleiPlP6J3vooTw==,type:str]
+miniflux: ENC[AES256_GCM,data:zmhxXdRnr0a16fY+hDBWj/iFNs28pSYK3U4JzS5Fm8LI0ybMKhftdEBmG40hEf3j,iv:motr8l0GwrX1BwYok8rKDrwyskeqp65WTUwahLPTVgM=,tag:bO4qQypUF81vRbOsaE/erQ==,type:str]
+gitlab:
+    root: ENC[AES256_GCM,data:PxdbIBekpkS4NazOFQvRALBIRg==,iv:c6u/7vcKAyZWYr3oL8GUzaKxrr8fX6Iek4V2fU2y4/I=,tag:+rUfzS4Jt+ikrqoMhXUi0g==,type:str]
+    secret: ENC[AES256_GCM,data:gyeJNGsDYPmP2tkZ0qYpUvDlXAhKvRYW35Y6eysgU6rx+Io=,iv:6QAQNGxddAOd2HsqhsT33xEvls54J+iGqrxfVVQVro4=,tag:5PBnW9YboXLmP/5dnA2YMg==,type:str]
+    otp: ENC[AES256_GCM,data:LQJ57scvNXWjclfAz63nsFD1QJ+OeenP4l4ZRn4BPAvRAkg=,iv:3w5rJhi1ZxQ7TGExTpi1GkE4zGgw6NSJuuUavLwzhAM=,tag:wXMSJwIRLLc3bUWFSIdk8A==,type:str]
+    db: ENC[AES256_GCM,data:VcvaXbHHlRxaKok8USnc16onFqzPZI5yf3EAROrFVbKAkyE=,iv:lwc+7c8MERL3YjVObrIC60e2yk5NRt8RCvuvB1JF1UQ=,tag:y3HlkvjdT12h9Gg48Han1g==,type:str]
+    jws: ENC[AES256_GCM,data:Re/mrF4ElJ/FNoxQRl/XwoudDXib1E0Pv4awFc6rDxEOA1xKHiaA2nqZEzI0JwJxFfkIM/Suty7tBI32qZnYI/kUW80Qn7gHlNEJtz+4VxJIk+XoTwZ8rq413E8TpreyAxu1MDwtJAFmw00t33kttGBjT8OlnoGbbQb70A1g1svR+Pb2FdHPmZ4Rg1DX/ZLobXGfhLXCCVlWvn41u46tMX3JTRBxEuDlOON1HQC6Ij8ObpVbZdBFaBcjrxlWPneKtRb2oO1wvGI3OL9+VzdhFdb5xH3SgkLMkgvZHOfjfTwZunsnAH5+mV2x7gI2LLy5mySqJHEq3WabSWvdcHg0i4ZW0tmOjr1HXAPqYiTVJp9lmIqwbbntIKTT2dfuEe1wWAs1SdwQw/2LdhXz6VfYILbRTCpRdnM0rqUBs+fjWnx9ygV71UesCYPlJx32wjDQURZEWs/Gf730h99+daDUwj3FPXzq6svtlMQMs627yyVAbLHD7HTc4dQ+3ulRYP3nDYK9HKN+BbYHZWRMoABKeJ/vCslIupRq268tiyBbGcnxIZJwPiDDSE9BNwcMav71VLrimXmibHwQGQA7yPfyRcwZEjBQ5kEyCtiKZQy5fhzvjx2CU3BZgBQxLCat0v+PRXPDO/778XyCtmUaie3II5+jqqhXhBINo3dOcbPfCuYUj2VyuHDgokhkDwPIFU9fEzlBBRMSX0SC5i7CKlWbwT7b6/Aylg0xk1UOyMQUEQIgzJh1qL5+3uS6zYpw3ZQi0Lp1UJ4J++L8scL1ecatFFW3MYiLRyBXL9vIcod/vysLfS9klL0HvBqv+CPm6pC9w8rMHIV/hjsSu0IFszN1olp9BzW2KFd9hLNq6xVlFoVZhxNI2XiQ6KARQLTVdaluUfxuutfKBi/+mQcJgPRKp5VCQ5Xw3vVYLIkgmgqdg+Axwb1Cb11UVRHNchkoE1RcYkZQudVpIn6ONFWpmi6RnAU/4pXjtbKO8XBNHx4hU4sD8WRm/ryBIMRLsCd3TtPd960RGkHSx9WP1bvwQ8SgaF5wwimckM1LqhZHPBNnaC3k4TjDuCpk+4BuaUqRONz9tCcDHoEpaNzNxKS0/dfYzRsBw7APlLuNU5eSuSKUbgc2/L9BhLxuJLSc1TWJR7MJX/zVx3IA8GWNFaZGyIBWx/XFb2Ibqsk0uJyid2xdSeBqKUxtUaWYo3LwaWqtZQ3KRL6segMGcop4CXl5E+9XZaf6mekLx6COuYeaVOje28u3pierRvpea5do5FwSyBHCme9bvffMnf5aRdIHLlE9vuvR2AvpjJ735sxru0jtLTqtOKfTlmaJZt0TOIS9iL5CVrJ0yyHnafUJd6ldH6SpO4LZ+Nb+Lc3sh1F4gPPc3gBzB9xTHfgSp2JIutRr6Gf0E5RgKpk9v+BBdEYb/o2emxUgzpmKjhvOWfdVGtwvt3zjADcugKEac/v4rH52FiUHoJbY9K/b0+x/JRUNei3gM+sxKW8CN3HsMOLOBVUbH3nfAXQ/hoRkJIDrhApPw6Mq9GEUlM/ruFpIYLXR+rwWg0u1kmJOEg0rVzrwTUmaUHd3BvGUVzIqspvcj8a32bXOUPn61hc5YWg8/MYyAFQQF6EvM4RUQZ0ibYAvJz9dFrI2GA73pws5xdaIz0ZvrgsIqn7facyg+nWB3azbKQEdDtrmqxP/vzJZJ3DnkDi2aJX4VKLZ1rkX/vSmt8po9psRMJT5p8URhaM4embJkZs25Lo13xVkl7K1cR68SHCDCPSD/BjWwpne12j3Ggdm9xo16+r5DO1RErraJJmzJ4cddbgFpNYZ7Uc+HgmLD9kihKfsnqN8VcZjetuTqlh8Iy2d73PLgoMtAeFa/+z5bG8ut+ThIZfy8/nr1xWMCniGorfXr+gMwotxDkHG+al26EOiDiCAdkw7dbSpJ/21UBl9FRbgy+pK6oDHUwQKxjO2VNdAwlLxmVlzFA3Nf/qx1tkvG8ASGdrPYLkrxOWw3C/Ua+ucyuBrWU8e4BV7Y/5EnlnPXm616u+fR1ymR2XuRyzp9ek78IzOk9TtGsUXCzwDKp8iQaC22KvmIwjZH+bHAg1ToVnZvRT47ygWC7TPb/wLXIn+uf/0dSZb7+KkNymG7Fcw+Z1zPQF5DbIu+icvlH4QKU4mq/j5fFFnfFp/MrRtZuhgV5r1KcDaN1zB8CoeTny60JZ+35Fy3m5mVEiJS/Vaz91Ha5lTI5B3hdGyvGTwENDSQY8ek9Tz6Rbp+dJBGUCgnHNwc6T9BXGc9YIg4JZkEpFk+GCGu8doaxXXsTCdDibVRra8+clZi3eIgiEdQMLQSgKbaib2iTeAthLmiuz9mMkwmq66CDuvcuSkajkmJsmVeFXJylCYyGCpC1qy8P6X7HPYMxFdiuwA+1kdRpg5MMoiAtIle+YBikEshFJpjX1NU5cWZEhOxd1T7LFbHiCP/6ZWnAPoqCnTc/cib5qcDCYwmP0q1U9vBv3dllhBeyl2Zh4ztllUfgwIgFFT6ky2VKtEtqkR7YCtumax26VxJYDCjI9j9miIJBCtocq5Msa15YXTCAFN2rVFEaJrEJxaHENwQR4YNvzoYVMdWPuOAaxyu2vtXfaG0gYA4cN1Xl+k+cnBcF/Qd5P6ePVxuw6ICouuebwUytZ7XWPeQiOJESNHDjVCj7KKAfT95ZjKzLm0lemUFSXtgr5bUsMooto+geIDo5gkcqtFexiwx+f7gu+0/0K5MxYDOmDKNtizjzNmgM8R8PvM3sbmfc068UdYgQylJiKFn9AVxkjAiCogqdYZBiadCUE+NRhNX0m7fZweaWvwX2pHvQ3KrfWUl+tB0i4RZVZFonHpk5gHSpUHRvU0D4oqKw/ssQLtHzW0hRvsDDqWRMl7dyyiOHvK1dLj+mCH/tbtKJMXupcS5U+XnBR2o2TbEoCw9HVwZPKdoiRcfEpjxn8CT/oV6pl9uFz4c+FKrjMcXSEE0d4I0piN++h/b6c/e9JPPEuTPsJ5PjUTGP/ghww9B0YnSF8yAvG/LgLYv1lJceO/qIR8GdkykW6J5w2bHh9zcDC6Y+4IiZaSKG9HoHUXbTnq/fqDLFxB9AJrZ1NrXrUUVEx/EDTAhZZTrW9vcdhByuqmQHONUwxrDdHqMF9YZZdkeAWZCJDRbBxqOqNNHax/oCduj9IP38Rp2lCtJv1wkIhumlOZQ71yslr3wRS05Aw4AKKs7QmBslVg5T5aV9QF7SC+mYLqqEdPH1p3mL5M+HWWoGh+ABqFTBIAT5+XqDRtZmpHjc1AVFii9CjPdHi4u0qvimQtcjXcHVBL0AlTYUlyl9yxZo/D+hgKQmhomc3TOI0LH7ON2WfTgFDEhe8KgRJq78oJ5Ejm6iu17rE/T3Y8F+elM7ezCgoN5r5QZeRK1y5/uq3xz957JH09MSFEHj1ULp9OIbXZzGAm1PuUozLLCS77VDyHEoa9YN8YiCIcji2hlpzQf7s56E22eqdENcE7kiMg5C8qK6rcTAOplU9/3Lelrx67hLlUtQD8Nz00aCSz1dqM/ASUx6szN6euLLgY1+XAtaQQrePCOOooNHJmOW8nW7Op3FCtrX8c8SqO3MnK6+U2emKODjGDdTowr8+f43ddLPYz83POTXefsrYUZ5SKZXbe0B+3cVTTE3Dx58u5Fg3caea94AZFMbvR5OsN1vzU3gcoK0QtZ4FNzg0zlPHjrCANGWNSmaqL6gEC+Sd/Oys+mZtH4cLMC8vkye6HpS8qCB4jisZ5CXjvnkKORznwIH4kMnOZJ7Z3j9Z4KvphV1+Lbtc2Oqo/cTSlhb2MIB0bTOsEcJOwomTPoiBTX+eZZ6ut16GG2ggGaucdqvxAienqH5WGFNIods9plcbDt6PIqb+spf2Iqw261gFtGLWleXdEP8SWMHYSuaOXpqp1FM5dxw4M/oG+6q3opis/DitVpVHaZoGYjd/WvqOW4WEy8ummP76ZqfZ2cRKkiMHT9u7eb9vZuq1lJ0ARJgbNxqygmksbpswzXZ9JxmhykhUps/GNgM8OTWxfgakuqTlZ2gGBXxeCI5M3a1nkBxW0VNUd5NNJeIbwSe/OP5FYIHcS7cGU07eRGYvVEUeE/rEE+H1icyjVmcQALXOo95RTU4bteuQZQLtDlpQToxAQ/CiOay1DqVI/BSlHSRkDdIMSBMhSg3lHDU77Y2iE0pkdTxgEP1fbXoNEWz3XP0vawVlbNw/o4kzMxNmDsvC+iqhhzlF95JVPvW/8GjLpI77Nlrjw0yVh3f43mL6xgAoYkX04TxyUU+iBKLlHuytD6mhYluAFTD8IgHZcIuhD/SpvWFgIg9UaBY6k7WEjL0aq8ZFEMTk+vjDTHG4=,iv:h9/CWcgxHw9aP6c3LV+MnbZcbmKfzdFDuiAXC00INbw=,tag:wXrzzBgEJ8lOCCUDu5Drsg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTkUySDA1ODMxWlF0MmpQ
+            N1ZzTGRjRVB4dnJmSXA3dzJIdmprMk5BN2dJCkxIVTlmOHAwOWNkRWt5UGUrUEFY
+            RVNSWml2M2JRT1BLaUhvd3N3QzZLT1UKLS0tIG1LbXJiSGwwYjVFRkNlcVQ0cDUx
+            R1lNZjFGelFvcXQ0enZTZ2pWRFZ2VVUKtGKbLyijIV1h0HFX7DMAkvXwdG70+pg/
+            sJ0PRcU6QGKz1NtVFdcXC1KQIqrv0XOGU26cRt8mji88JMzzgL7CHg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-15T04:20:13Z"
+    mac: ENC[AES256_GCM,data:C47fzHJpOktv2tPlRK2KronOMzcWtFXFtSAmj/goo8jGCN+Vh2PcOC66Pe4F1aH8FuWs0JqD5u7pXIydYx1UaS+Z7eSENfi//6l1sJS3VAblLmWKEgLFuDoDZHw89X9LXudRKrRkGwILGasBXt/xkamcCZL7O2v++XtACWcB+9s=,iv:FoYz3xt7q6AOZ0Is20puTmy/c3ufEiw+DDnGLdiVoMQ=,tag:GDPNV1jP2d9TTLUALquHiQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2

hosts/common.nix

@@ -0,0 +1,21 @@
+{...}: {
+  nix = {
+    settings = {
+      experimental-features = "nix-command flakes";
+      auto-optimise-store = true;
+      flake-registry = "";
+    };
+    channel.enable = false;
+    optimise = {
+      automatic = true;
+      dates = ["03:45"];
+    };
+    gc = {
+      automatic = true;
+      dates = "19:00";
+      persistent = true;
+      options = "--delete-older-than 60d";
+    };
+  };
+  time.timeZone = "America/Toronto";
+}

hosts/ytnix/.sops.yaml

@@ -0,0 +1,7 @@
+keys:
+  - &primary age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8
+creation_rules:
+  - path_regex: secrets.yaml$
+    key_groups:
+    - age:
+      - *primary

hosts/ytnix/default.nix

@@ -0,0 +1,281 @@
+{
+  inputs,
+  outputs,
+  lib,
+  config,
+  pkgs,
+  ...
+}: {
+  imports = [
+    ./hardware-configuration.nix
+    ../common.nix
+  ];
+
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.defaultSopsFormat = "yaml";
+  sops.age.keyFile = "/root/.config/sops/age/keys.txt";
+  sops.secrets = {
+    "borg/yt" = {};
+    "azure" = {};
+    "ntfy" = {};
+    "wireguard/private" = {};
+    "wireguard/psk" = {};
+  };
+
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    tmp.cleanOnBoot = true;
+    kernelPackages = pkgs.linuxPackages_latest;
+    extraModulePackages = with config.boot.kernelPackages; [
+      rtl8821ce
+    ];
+  };
+
+  networking = {
+    hostName = "ytnix";
+    wireless.iwd = {
+      enable = true;
+      settings = {
+        Rank = {
+          # disable 2.4 GHz cause i have a shitty wireless card
+          # that interferes with bluetooth otherwise
+          BandModifier2_4GHz = 0.0;
+        };
+      };
+    };
+    networkmanager = {
+      enable = true;
+      dns = "none";
+      wifi.backend = "iwd";
+    };
+    nameservers = ["31.59.129.225" "2a0f:85c1:840:2bfb::1"];
+    resolvconf.enable = true;
+    firewall = {
+      allowedUDPPorts = [51820]; # for wireguard
+      trustedInterfaces = ["wg0"];
+    };
+  };
+  programs.nm-applet.enable = true;
+
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    pulse.enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    wireplumber.extraConfig.bluetoothEnhancements = {
+      "wireplumber.settings" = {
+        "bluetooth.autoswitch-to-headset-profile" = false;
+      };
+      "monitor.bluez.properties" = {
+        "bluez5.enable-sbc-xq" = true;
+        "bluez5.enable-msbc" = true;
+        "bluez5.enable-hw-volume" = true;
+        "bluez5.roles" = ["a2dp_sink" "a2dp_source"];
+      };
+    };
+  };
+
+  services.libinput.enable = true;
+
+  users.users.yt = {
+    isNormalUser = true;
+    extraGroups = ["wheel" "libvirtd" "docker"];
+    shell = pkgs.zsh;
+  };
+  programs.zsh.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    tmux
+    vim
+    wget
+    neovim
+    git
+    python3
+    wl-clipboard
+    mako
+    tree
+    kitty
+    borgbackup
+    brightnessctl
+    alsa-utils
+    nixd
+    veracrypt
+    bluetuith
+    libimobiledevice
+    pass-wayland
+    htop
+    file
+    dnsutils
+    age
+    compsize
+    wireguard-tools
+    traceroute
+    sops
+    restic
+  ];
+
+  environment.sessionVariables = {
+    NIXOS_OZONE_WL = "1";
+    ANKI_WAYLAND = "1";
+  };
+
+  system.stateVersion = "24.05";
+
+  services.gnome.gnome-keyring.enable = true;
+  programs.gnupg.agent.enable = true;
+
+  services.displayManager.defaultSession = "sway";
+  services.displayManager.sddm = {
+    enable = true;
+    wayland.enable = true;
+  };
+  # security.sudo.wheelNeedsPassword = false;
+
+  fonts.packages = with pkgs; [
+    nerd-fonts.roboto-mono
+  ];
+
+  hardware.enableAllFirmware = true;
+  hardware.bluetooth = {
+    enable = true;
+    powerOnBoot = true;
+  };
+  services.blueman.enable = true;
+
+  programs.sway.enable = true;
+
+  services.borgbackup.jobs.ytnixRsync = {
+    paths = ["/root" "/home" "/var/lib" "/var/log" "/opt" "/etc"];
+    exclude = [
+      "**/.cache"
+      "**/node_modules"
+      "**/cache"
+      "**/Cache"
+      "/var/lib/docker"
+      "/var/lib/private/ollama"
+      "/home/**/Downloads"
+      "**/.steam"
+      "**/.rustup"
+      "**/.docker"
+      "**/borg"
+    ];
+    repo = "de3911@de3911.rsync.net:borg/yt";
+    encryption = {
+      mode = "repokey-blake2";
+      passCommand = "cat /run/secrets/borg/yt";
+    };
+    environment = {
+      BORG_RSH = "ssh -i /home/yt/.ssh/id_ed25519";
+      BORG_REMOTE_PATH = "borg1";
+    };
+    compression = "auto,zstd";
+    startAt = "daily";
+    extraCreateArgs = ["--stats"];
+    # warnings are often not that serious
+    failOnWarnings = false;
+    postHook = ''
+      ${pkgs.curl}/bin/curl -u $(cat /run/secrets/ntfy) -d "ytnixRsync: backup completed with exit code: $exitStatus
+      $(journalctl -u borgbackup-job-ytnixRsync.service|tail -n 5)" \
+      https://ntfy.cything.io/chunk
+    '';
+  };
+
+  services.btrbk.instances.local = {
+    onCalendar = "hourly";
+    settings = {
+      snapshot_preserve = "2w";
+      snapshot_preserve_min = "2d";
+      snapshot_dir = "/snapshots";
+      subvolume = {
+        "/home" = {};
+        "/" = {};
+      };
+    };
+  };
+
+  programs.steam.enable = true;
+
+  services.logind = {
+    lidSwitch = "hibernate";
+    powerKey = "hibernate";
+  };
+
+  xdg.mime.defaultApplications = {
+    "application/pdf" = "okular.desktop";
+    "image/*" = "gwenview.desktop";
+    "*/html" = "chromium-browser.desktop";
+  };
+
+  programs.thunar = {
+    enable = true;
+    plugins = with pkgs.xfce; [
+      thunar-archive-plugin
+      thunar-volman
+    ];
+  };
+  # preference changes don't work in thunar without this
+  programs.xfconf.enable = true;
+  # mount, trash and stuff in thunar
+  services.gvfs.enable = true;
+  # thumbnails in thunar
+  services.tumbler.enable = true;
+
+  virtualisation = {
+    libvirtd.enable = true;
+    docker.enable = true;
+  };
+  programs.virt-manager.enable = true;
+
+  services.usbmuxd.enable = true;
+  programs.nix-ld.enable = true;
+  programs.evolution.enable = true;
+
+  # this is true by default and mutually exclusive with
+  # programs.nix-index
+  programs.command-not-found.enable = false;
+  programs.nix-index = {
+    enable = true;
+    enableZshIntegration = true;
+  };
+
+  xdg.portal = {
+    enable = true;
+    wlr.enable = true;
+  };
+
+  programs.obs-studio = {
+    enable = true;
+    plugins = with pkgs.obs-studio-plugins; [
+      wlrobs
+    ];
+  };
+
+  hardware.graphics = {
+    enable = true;
+    extraPackages = with pkgs; [
+      intel-media-driver
+      intel-media-sdk
+    ];
+  };
+
+  services.ollama.enable = true;
+
+  # wireguard setup
+  networking.wg-quick.interfaces.wg0 = {
+    address = ["10.0.0.2/24" "fdc9:281f:04d7:9ee9::2/64"];
+    privateKeyFile = "/run/secrets/wireguard/private";
+    peers = [
+      {
+        publicKey = "a16/F/wP7HQIUtFywebqPSXQAktPsLgsMLH9ZfevMy0=";
+        allowedIPs = ["0.0.0.0/0" "::/0"];
+        endpoint = "31.59.129.225:51820";
+        persistentKeepalive = 25;
+        presharedKeyFile = "/run/secrets/wireguard/psk";
+      }
+    ];
+  };
+}

hosts/ytnix/hardware-configuration.nix

@@ -0,0 +1,67 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = ["kvm-intel"];
+  boot.extraModulePackages = [];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/17870658-6118-46af-837f-70c9175e09c3";
+    fsType = "btrfs";
+    options = ["subvol=root" "compress=zstd"];
+  };
+
+  boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/c6098a16-c8a6-4a97-8648-6f46ca919d13";
+
+  fileSystems."/home" = {
+    device = "/dev/disk/by-uuid/17870658-6118-46af-837f-70c9175e09c3";
+    fsType = "btrfs";
+    options = ["subvol=home" "compress=zstd"];
+  };
+
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-uuid/17870658-6118-46af-837f-70c9175e09c3";
+    fsType = "btrfs";
+    options = ["subvol=nix" "compress=zstd" "noatime"];
+  };
+
+  fileSystems."/swap" = {
+    device = "/dev/disk/by-uuid/17870658-6118-46af-837f-70c9175e09c3";
+    fsType = "btrfs";
+    options = ["subvol=swap"];
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/29B7-F46D";
+    fsType = "vfat";
+    options = ["fmask=0022" "dmask=0022"];
+  };
+
+  swapDevices = [
+    {
+      device = "/swap/swapfile";
+    }
+  ];
+
+  boot.resumeDevice = "/dev/disk/by-uuid/17870658-6118-46af-837f-70c9175e09c3";
+  boot.kernelParams = ["resume_offset=53224704"];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/ytnix/secrets.yaml

@@ -0,0 +1,29 @@
+borg:
+    yt: ENC[AES256_GCM,data:CGcdcA9LnDDlTYJwsT25uY9h70yJtKhxgA==,iv:F25VTezkd4RQd7BZ3DD39hPiPj+Z3H01IgPhCGUQ5aM=,tag:mxLPXR/ffBXkByk1R1PYvQ==,type:str]
+restic:
+    azure-yt: ENC[AES256_GCM,data:s8TJ5cNVW2Jr7kyul8mrBGwdLoTlNTb2MfpZgPU=,iv:sC0DbgFbFl6vvLqwOFDwRa3nabrIWxOTuz7GXn17IHk=,tag:2MYprYgNhh1aFlzuyw5eGQ==,type:str]
+azure: ENC[AES256_GCM,data:UdHmasRElCFC66dxnnGTOw6vgOzrOIMiSLsczK0Qew2WBdZUKVnRTfSCxQrB7P8k+j3N2CDt5Y4GXvf9GVFrWCMOInOqYXcyycGXsdli2DbqpXTa3f13ykvc/aoKyw3YuFQdrNci3Kae9PYZ4v5f7fH8n4WgOKuYj3mO9k7WHxM1JBzYRRZP41Jghnb9SqVhl9UXVPI5ONBd6JI/FiezSMZPYC2FxNgQ7zHUQJ7qQ6aJTgRljslJK9I=,iv:bRoYEA1hbEXRG7PoU7Dfba9uRu3cAqfeuvSIfavZZ8M=,tag:cHXUe/njZNoG6EuHYYz0Yg==,type:str]
+ntfy: ENC[AES256_GCM,data:ZfTVhdzA1+L3B+g7tw==,iv:1dXDqYi5/zBQ9iphzjn/GHGDcl90J1NYHvHQpTsVPlg=,tag:RfB1/Zz9ITJQV89cuk9OcQ==,type:str]
+wireguard:
+    private: ENC[AES256_GCM,data:hPfJis6gbPPguuhNBViiZDmeFSaUXsgRrCGrhTFzbySIytVuaieU0BJSJQo=,iv:tYU41JTeB7Y50RQr1b+zGCgB5voZec2Vfmd350J1Tgc=,tag:aFMZoJhMToJDuuV8dc5Acg==,type:str]
+    psk: ENC[AES256_GCM,data:NhQ1lYFpjTpqbkhYyEpEcBTf6vewSeGevUnvCmruoZMSGA2ZWs+le8a0tAA=,iv:aBeVhzUwzBgochk4vtdqnUv61dZ5jELh28amx8XqyFI=,tag:9TvGx+sJaicX52FitOpOdA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhUmhsRDljYWJLS2tzUC90
+            a1oxZGZBUy9LaFpJeTF2MmZWQnl1NU0vQkc0CklnTGszaHRCRW5GYUU1OU9NVjVH
+            SW02OWVXNDNSMTFyV2NUU2xTV1dlTGMKLS0tIGpKT3lQd3I0T0xEMWo2ekd1MmM3
+            a1MwYjB0Tm03bzJnWTdoZ01KbXBPUkUKUr6hOsdZDJK6bFyEnBf4Vkms8EJsIvZY
+            ML481g9d9Vlm5x7X74nUcWemFSzttSdWEM3Y/IOHpXDbvC/Tbw+z7Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-14T23:07:47Z"
+    mac: ENC[AES256_GCM,data:GQUbR/ApVo6E5jqkGo79GDkRv7nj7Sa16ROCTg0uYO0xDmv9h/bPWBTUOfsU0G/0g3OvohLkBbmYA+hMx24xlLQzQkh8Z3dyAn9CcAJ2j9JLY7qHtSBpvafyPptvKzmPU0mnQpShgqYPCUhF6A2B2YAAvW+TknBih7eiKKeidkc=,iv:XLKIad/LZWuWUrrcXtF0UyNccLhoB0VSWXYCGDq/7Uc=,tag:lNyMV8Ses28gOj+KINem5A==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2